Christa Miller: A decade-long career in an industry that changes as rapidly as digital forensics does is no small accomplishment. This month on the Forensic Focus podcast, we have a special vendor edition featuring one of our long-time sponsors, MSAB. Mike Dickinson, the company’s chief business development officer, is a senior business professional specializing in technology for law enforcement, military and government agencies. He’s held numerous roles within MSAB, directing communications, training and marketing. As such, he’s built up an extensive knowledge of digital forensic solutions for public sector policing. Mike, welcome.
Mike Dickinson: Thank you, Christa. That was a very nice introduction.
Christa: Thank you. It’s good to have you here. Thanks. I’d like to start with a bit of MSAB;s history. The company touts its sole focus on mobile forensics since 2003 and has witnessed two decades of consistent business growth, global acceptance and a stellar reputation. Tell us more, if you would, about how MSAB has charted its path to success and what this means for customers as the second decade comes to an end.
Mike: Sure. Yeah, I kind of like to joke that MSAB is the stealth marketing company you’ve never heard of in this sector. We keep a low profile somehow, despite what we do. The company’s been around since 1984, so it’s quite a long standing company, and has always been involved in computer and mobile device communications, originally modems. Around the dot-com bubble, we were heavily involved in communication software between computers and mobile devices, but in 2002, I think it was, a police officer approached us and said, Hey, we’ve been using your software now to gather evidence for crimes, and the tech team here went, really? That’s… oh! And they had never even considered that idea. And so the police officer explained all the complexities they had around getting the evidence off, and the chain of custody concept, and really what happened then was a three-month intensive exercise.
The company looked at its opportunities in the existing market, which was dying off because modems were built into mobile phones at that stage and new technology was coming online. We saw that smartphones were an exciting opportunity. At that time, feature phones were an exciting opportunity, but the whole market, and we decided that we were going to commit to a forensic tool product. So in 2003, we did a left turn and everything since then has been about providing mobile digital forensic tools to meet the chain of custody and evidence.
And I’m really proud to say we’ve been growing ever since. I myself was recruited back in 2008 and started there in the UK, and the company’s expanded out of our headquarters in Sweden — where I’m talking from today — since then. One of the lovely things is that we’ve been able to grow successfully with a good track record and profitability and growth year on year.
Christa: I don’t remember who I interviewed in 2003, but the first article I ever wrote personally about mobile forensics was that year. And I did talk to somebody about XRY at that time.
Mike: Wow, OK, you’ve got some credibility in this industry!
Christa: That might be debatable, but it’s okay. So that brings us up to today, where we’re looking at the challenge of dealing with ever increasing security on data, as well as remaining up to speed with an ever-growing number of apps, services, and artifacts. What kinds of challenges do these present to customers and what are they telling you when they come to you in need of support?
Mike: Yeah, the challenge is huge today, and it’s grown exponentially. I think I’d start by saying this: If you thought what we’ve seen in the last decade is impressive in terms of technology, you haven’t seen anything yet. The next decade I predict will be a technology… I mean the smartphone is the black hole of technology, it’s just sucking in everything. And there’s going to be more and more data, greater use cases, more demand for products and digital forensics in general, across the entirety. And the growth predictions for this sector are huge. Reminiscing on my journey to work this morning, I took out my smart phone and realized it just does everything: it’s the timetable. It is the train ticket. It is my music center. I’m reading my emails. Everything is happening on it. Everything that I used to buy another device for it previously, or had an alternative solution, everything is now on the smartphone, and that will continue.
In some ways. It’s quite frustrating because just to stay still and offer the continuous supply of good quality products that we offer today, you have to do an awful lot of work, because if you’re supplying and supporting all the smart phones out there, they are not static. They are dynamic instruments. We tend to think of phones historically as a block feature phone and it doesn’t change once you’ve got support. That’s great, but that’s not the case.
Now a modern Android device, new operating system comes on stream, that changes the behavior of the device. A new app, updated pretty much every month. WhatsApp changes where the database, where the data is stored, suddenly backup for Android is no longer allowed, or is permissible, or isn’t. And you constantly have to do development work in the background, but it’s a bit like a swan gracefully on the surface. You’re trying to look like you’ve got everything under control, but underneath you’re paddling furiously, because you’ve got to work furiously just to keep pace with where you are and what you already support, and then plan for new features and functionalities, new technology as things come on.
So yeah, it’s really challenging to keep up with the apps, the services, support cloud, deal with new artifacts, things that, you know, you just can’t imagine would have existed. I remember last year we said, okay, right now we’re going to have a blood pressure and heartbeat and steps and what altitude for steps. And these are new properties, new categories. We have to define them. We have to put them in an easy to read way. So there’s a tremendous amount of work, and you’ve got to continue to grow. And I think this is a sector that will demand increasing research and development and increasing investment just to get to where people need us to be.
Christa: And I want to key in, especially on the point you just raised about presenting it in an easy to read format, because it is not just the decoding of the data, but also the sorting and the structuring, the presenting it, in a way that is not just easy for the investigators themselves to understand, but also for them to be able to present in court, potentially. And something that’s easily viewable for juries and attorneys to understand. So how do you balance that challenge?
Mike: That’s a great question. Presenting evidence is some form of art work, and high art at that. And there’s literally no way to develop a tool that will meet every legislation in every court in the land, across the globe. So you have to do best efforts based on customer feedback. And it’s really important that we listen to people. It’s a really underrated skill, just presenting the evidence and the challenges that produces in terms of, well, okay, we’ve got this new artifact, you know, it’s a pulse, but where should we put it in terms of a category, and how are we going to easily present that? Is it security? Is it health? Is it welfare? Where all the different places we’re going to put that data? And then how do we allow users to search for that functionality in a constructive thread that’s logical?
When we moved to our XAMN solution quite a few years back now, three or four, to introduce the concept of filters, to try and help with this problem of who, what, why, when and how, depending on each case.
So historically we’ve always had — I think most tools in the industry have had that sort of category based structure: here’s the course, here’s the messages, here’s the pictures and so on and so forth — but that just becomes an impossible way to find the data when it cross correlates. You know, if you want to find the pictures, but they have to come from WhatsApp and they only have to come in the last month. That’s not an efficient system to have to go into each of the three categories and then try and work out. You need to be able to filter that. So we’ve tried to develop a solution that layers on layers. So you say, okay, we only want to see stuff from WhatsApp. In fact, we only want to see the pictures from WhatsApp, and we only want to see them from the last month; now show the results. And so that’s one of the ways that we try and improve the efficiency of the operators so they can get questions answered quicker, really.
Christa: And one other thing that you mentioned previously was the need to continue to grow as a business. As far as the COVID-19 pandemic, business obviously is ongoing. I feel like this is one industry that isn’t suffering during the pandemic, but there’s also a lot of uncertainty. Tell us what this means for your business, as well as your customers: what are the challenges along with the opportunities and what is MSAB doing to help users?
Mike: Yeah, it is interesting. A bit, I guess, like the other tech companies, there’s almost a boom in the demand for our products because more people are stuck at home. More people are on their phones. More people are engaging digital media as a means of communication. So during the pandemic season, there’s been even less personal one-on-one meetings and more recorded digital evidence trails of communication between people, whether it’s chats, calls, a Zoom call like this, or whatever else it might be. So yeah, the industry potential is huge.
That’s not to say it doesn’t have some real viable commercial impacts. We’ve seen that many customers have pressing emergency resources that means they’re not stopping the decision, but they are delaying it because they need to focus elsewhere for the moment. So it is recognized in the industry that there are pauses with law enforcement agencies, private sector customers, reorganize staff.
What I will say is: super impressive how the world, and generally our industry, has moved. I heard it referred to the other day that what happened in March was like a digital Dunkirk. It was withdrawal of services across the globe, from offices and resources, to working from home and using enabled technology. MSAB were very lucky. We’d already deployed a technology we were mostly running on Microsoft based solutions, because our customers were mostly running Microsoft operating systems. So we’d deployed teams, and we were nervous as a management team that pulling resources out and moving them to remote locations might be a problem. But it was incredibly seamless. Really. We were quite delighted and became, we kind of, sort of patting ourselves on the back: I’m glad we did this six months ago and not now we have a pandemic, but that was just good luck really.
So we’re seeing changes in behavior where virtually everything’s going online. And I think that’s what the future envisages for us. We’re going to have to do more interactivity. We’ve been running a lot more webinars, and we’ve got six months, now, of video presentations available to our customers free of charge online. We’re doing a lot more interactions by mediums like Zoom and Teams or Amazon solutions. And generally we’re trying to be more efficient.
One thing I have noticed is with interviews like this is you have to get to the point pretty quick. I think people have got Zoom fatigue. They are an endless back to back meetings. You’ve got to make the point, make it quick and then move on. Because if you’re just being nice and polite, it doesn’t work in this environment. So you’ve got to get it to them,
Christa: Which is a little bit frustrating. I’m sure in some regards, because we’re as humans used to a little bit of small talk anyway, right? It needs to start there, the relationship building that you want to have with a long-term customer.
Mike: Yeah. I think that’s true. I mean, everybody’s different. So this is a broad brush opinion on things. And MSAB is very proud of the relationships we have with the customers. We’ve worked a long time to keep a good reputation with the existing customers. We have those relationships, it’s seamless to do it. What’s interesting is when you’re making new presentations to people who haven’t heard of you before, and you’ve got to go, okay, this is who we are, and this is what we do, but let’s show you the stuff straight away, because we’ve seen, you’ve got to know your stuff and put that presentation out there quite quickly about what benefits you can bring.
Otherwise, the worst thing in the world is because they’re on their computer in order to have this meeting, they’re also right next to their email. And if they’ve got three monitors, you watch their eyeballs and they start seeing the emails coming in and starting to read on the webpage, and you’re like, Noooo, focus here!
Christa: Yeah, that sounds challenging, for sure. So along with the pandemic, there’s other global trends that we’ve seen. There are some historic changes in global politics in Hong Kong, for example. More verticals among these changes have demand for mobile forensics to strengthen their against crimes within their lawful authority. Although it’s arguable that lawful authority may not necessarily always be moral or ethical in some jurisdictions, what’s MSAB as a vendor selling into some jurisdictions’ position on matters like these?
Mike: Yes. that’s a good question. Thank you for asking. I think that, probably the top level answer here is, that the more powerful our technology gets and the tools and the digital forensics get, the more responsible we have to be about the risk of misuse. MSAB is a Swedish company we’re based in Europe, and Europe in particular as a legislative body is quite keen on promoting human rights. And in fact, I think yesterday in the European parliament, there was new legislation on what they call export controls for dual use products. Our main digital forensic software for mobile forensics is called XRY. And it’s classified in Europe as a dual use tool. What that means is that it can be used for good by law enforcement to solve crimes, but it also, it could be used for oppression by a military junta or authoritarian regime to breach the human rights of the citizens in which the country is based.
So there are quite a lot of controls, and we’ve actually been under export controls for over eight years, as to where we can supply technology. Because it is classified as a cyber weapon because it’s very powerful in what we can do, the security we can breach, how we can override things and get to the data and recover deleted data. So it’s about a balance. It’s about vetting customers, making sure there’s a legitimate need. In Europe, North America, most of the developed nations, it’s no problem to supply a full technology. But interestingly, it’s one of the reasons why MSAB hasn’t been so proactive in the private sector. A lot of other companies in the sector have been pushing e-discovery and things like that. We do supply customers in the private sector, banks, forensic accountants, but we haven’t really pushed it very hard because we’re cognizant of this need to focus on law enforcement, government and military customers, but it is a growing sector. And we recognize that.
I joked earlier in this conversation that we’re stealth marketing company, you’ve never heard of us, but ironically, the one time I was in the press this year was because of something I didn’t do, or something I pulled back from doing. So over the summertime, the US passed new restrictions in response to China’s movements in Hong Kong. And this is political as much as anything else, but we have to respect international law. And there was an embargo placed with penalties for people who supplied certain members of the regime in Hong Kong. And taken into effect with that, we had to recognize that yeah, the position there is when we need to take a leadership position on. Is it right that we continue to supply that technology? So we made the decision this summer to pull out of supplying technology to both China and to Hong Kong. And that was the thing that hit the headlines in Bloomberg. So that was the press. So yeah, we made the press for stopping supplying our technology. Yay. I’d rather it was for what we were doing, but yeah.
But that’s the price, you have to make this difficult balance. Yes, we’re a commercial entity. Of course we are here to make a profit. We have to, we’re a publicly listed company. So our shareholders expect to too, but it has to be balanced about, you know, is this the ethical or the right moral thing to do as well?
Christa: Yeah. Yeah. And I think that’s been a part of the industry discussion all summer, something that a lot of people were talking about in terms of DFIR for good.
So that brings us to the future. We’re already seeing, as we’ve been discussing, more digital data, but in particular, more online crime, thanks to COVID in part. Data coming from an even larger set of disparate origins, such as the cloud, third party warrant returns, internet of things, et cetera. How are your customers working to address these issues, and where are they looking for support from vendors like MSAB?
Mike: Yes. I think the easy answer to that is “everywhere.” But let’s try and break it down a little bit more. I mean, we’ve got a world-class technical support team that they just came back with a rating actually, 500 users give us 98% five star rating on our technical support. So I’d like to drop that in as a blatant plug for: if you have problems we can help you. And everybody has issues, because it’s software, it’s technology, and phones are particularly awkward.
The future trend is just more of the same. And as I said earlier, I think the rate of change is going to be exponentially more. I think the smartphone is at the center of this, just because it’s so incredibly useful. And so many things are being ported into the app environment software that used to be a physical object somewhere else.
We can see the change already in terms of cloud. And I think that’s going to be hugely important in the future. If I was to try and guess 10 years from now where we will be, we’ll be on some sort of 6g format. And I would imagine most of the data is not actually physically held on the device, but in a cloud environment. And you need all sorts of legal challenges about whether you’re permitted access to that. In a private sector environment, with bring your own device, you’ve got this whole question of, well, am I allowed to look at the contents of this phone? Was it an employee’s device? Do I have the rights to a look at that content? What are the privacy issues here? Equally, if it’s a company issued phone, okay, do I have to section off the personal data here? And then we look at the data that’s relevant to the case.
And that’s something we’ve been working very hard on is again, certainly a lot of legislation coming out of Europe right now, but it’s relevant for the whole world in terms of data privacy and the right to access data, given that most people live in the whole life from the phone now. And I know certainly with my teenage children, they would much rather we had a documented conversation via chat than I ever physically called them, goodness for me, that I would invade their privacy by calling them and actually using words. So you’re going to get this situation where I realize my entire conversations with children is now documented in chat messages, and that’s fine, that’s completely normal, but that’s an issue to think about. And we’re trying to develop tools that help and resolve that, particularly the privacy balance question.
So we see a lot of scenarios… take the very tragic cases going on in Europe right now with the terrorist incident in France, horrible things. I read somewhere in one of the persons that were like 20,000 video images captured of the incident around it from witnesses and members of the public, which is an immense amount of data to go through. But you’ve got the situation where you’ve got a willing member of the public on the street saying, Hey, I saw something. I took a video. I think I want to help you. Here’s the video so I can help you solve this crime. And then the police officer turned and said, Oh, that’s great. You just hand me your personal phone on which you run your entire life and I’ll give it to you. You’ll see it about three, six months. All right. Bye-Bye. That’s just not going to happen. People aren’t — as much as they want to help — they’re not going to give up the device on which their entire life is now operating.
So we’re trying to find technology and solutions that will enable rapid response triaged solutions, whether that’s walking to a police station nearby and coming to a kiosk and saying, okay, you point to me exactly which video it is. Is it this one here? Yes. And having that visibility on the computer screen to say, okay, I’m going to take this one now, I want your permission to do it. And a digital signature. Or even, we’re now coming up with a new option, a product called Raven, which is an Android based app solution. So anybody with an Android based smartphone can download an app from our Raven store, and they’ll be able to connect to a mobile phone on the street — Bluetooth or via cable — and just remove specific data under supervision, so that we can get more cooperation from witnesses, victims, in a triage environment.
Obviously, if we’re dealing with suspects, I still think the right process is a full seizure and retention of the evidence, but that’s some of the stuff that we’re seeing. As things get more complicated, I think we’re going to see more collaboration in industry. We’re working with more partners, we’ve been involved in a new European based project funded called ForMobile–
Christa: That was going to be my next question!
Mike: Great! We’ll come back to that. It’s a really exciting thing. I’ve not been involved in one of these projects before, but I think it’s the European Union’s way of staying ahead of thing and encouraging R&D. So it’s funding for 19 consortium members from across Europe, and also includes an external agency in Kyrgyzstan — look that up on a map, because I had to — and it involves police, academics, and industry players coming together to solve solutions. And then this project is about forensic mobile cellphone extraction.
And the great news is that most of what is going to come out of that will be freely available to law enforcement, not just for Europe, but actually worldwide, and other players in the sector. We’re hoping to come up with a new digital forensic standard, specifically focused on mobile phone technology, that can be adopted throughout Europe and hopefully worldwide. There are many standards out there, so we’re not trying to usurp it, but just the general overlap of good practice.
But we’ve actually… I had quite a wonderful call, because ForMobile facilitators were in a situation where several law enforcement agencies, got together alongside MSAB, also Cellebrite, also Magnet. And we’re all on the call together to try and agree a new standard for mobile forensics, along with a new training package that will be hopefully made available, and new tools and technology that will be embedded in our solutions in the future. So it’s very exciting to be involved in that sort of cross collaboration.
Christa: That is, I know a lot of the papers that have been coming out from some of the academic conferences, namely DFWRS, have talked extensively about standardization and even apart from DFRWS, there’ve been a fair number of papers coming out, that I think as the more we see issues over data privacy, as you’ve been talking about, the more important that standard processes, it sounds like, are going to become.
Mike: Yeah. Yeah. I mean, in the short term, hopefully we can see some results in terms of projects like the case collaborations.
Christa: Right, right.
Mike: That’s really interesting. I know several people that have been involved in that consortium, and from the 1st of January, we’ve put a member of our staff on that project team as well to help them get over the finish line because I know it’s a very challenging, but that should end up being an interoperability standard for most DF tools, which we would fully endorse and support to allow a freer exchange of data. So fingers crossed that the case consulting is something that we can deliver in 2021 as well on the back of that effort.
Christa: Also hoping to write more about that as well. So that’ll be exciting to keep an eye on. Yeah.
Mike: Certainly, ForMobile are sponsoring that and believe that’s the right way forward. And so do we.
Christa: Yup. Yup, yup. Yup. What else is next for MSAB going into 2021?
Mike: Hmm. Well, many thing, I think. We can’t ignore the current COVID situation around us. The news about the vaccine is absolutely fantastic. And I think that realistically, that’s not going to be around for a few months. So I think we have to deal with the current situation. It’s very clear that a lot of companies are still going to be struggling and still going to be online. And I’m not entirely sure where that we will ever go back to the way it was. I think this is one of those pivot moments, a bit like when there’s dramatic events in society. And I think this is indicative of the way we’re going to go.
So in the near future, we’re going to be working on strengthening our analytics solutions, our products, to make investigators work faster, quicker. We’re heavily invested in research and development for new exploits to get into new technology. And I think at this rate… when I started, we did one or two releases a year. Now we’re putting out one every month: 10 or 11 last year, just to keep up with the pace of change that’s going on in the market and support for new devices that come along. So it’s an exciting future. The company continues to grow. It continues to expand. And we want to be part of the industry and help everybody who’s watching today. And if you’re listening and you were interested more about technology, then please get in touch.
Christa: Well, Mike, thank you again for joining us on the Forensic Focus podcast. We appreciate your time. Thanks also to our listeners. You’ll be able to find this recording and transcription along with more articles, information, and forums at www.forensicfocus.com. If there are any topics you would like us to cover, or you’d like to suggest someone for us to interview, please let us know.